Transaction Confirmation
Transaction confirmation under PSD2 involves verifying the identity of the customer and ensuring the security of the transaction. It typically requires the use of two or more factors from the following categories:
- Knowledge factors: Something the end-customer knows, such as a password or PIN.
- Possession factors: Something the end-customer possesses, such as a mobile phone
- Inherence factors: Something inherent to the end-customer, such as biometric data (FingerId, FaceID etc.).
The purpose of using multiple factors is to provide an extra layer of security by requiring the end-customer to provide evidence from different categories. This helps to mitigate the risks of unauthorized access and fraud.
PSD2 Exemptions
In line with PSD2, certain outgoing wire transfers & sends may be exempted from Strong Customer Authentication (SCA).
- Low Value Transaction: Transactions below €30 or equivalent will not be challenged, unless the user exceeds a cumulative transfer amount of €100 (or equivalent) or 5 successful transactions or the transaction is deemed as high risk.
Please contact our support team to enable the Low Value exemption
- Trusted Beneficiaries: The destination instrument of the send transaction is the identity's trusted beneficiary list.
The status of transactions that do not require SCA will automatically move to EXECUTED and no further action is required.
Authentication factors
To verify a transaction, the logged-in user must have enrolled their mobile device for strong customer authentication.
In order to use AUTHY as an authentication factor, consumer users, corporate users and authorised users must be enrolled for Authy in order to perform authentication using this method.
We currently support SMS and AUTHY and BIOMETRICS as possible authentication factors. More channels are coming soon.
Transaction Confirmation
For transactions to be executed, the logged-in user must authenticate the transaction (unless the transaction is PSD2 exempted). These are the transactions that must be challenged:
-
Single Outgoing Wire Transfers
-
Bulk Outgoing Wire Transfers
-
Single Send Transaction
-
Bulk Send Transaction
You can use the challenges
/multi/challenges/otp/{channel}endpoint to verify a single, or multiple OWTs and Sends at the same time, by providing the transaction ID(s) in theresourceIdsfield. This endpoint should be used in favour of the deprecated endpoint that can only be used for single OWTs.
Read more on how to reduce the number of approvals required when executing transactions by using Beneficiaries.
Sending a Challenge
You can trigger the transaction verification process by calling the transaction challenge API. The user will be requested to perform a two-factor authentication based on the channel.
If SMS is used then a text message is sent to the mobile number associated with the user's credentials. For root users, this will be the mobile number provided when onboarding the corporate or consumer identity, while for authorised users, this will be the mobile number provided when onboarding the user.
If you would like to authenticate the second-factor via SMS the wire transfer SCA challenge API endpoint needs to be triggered, which will send an OTP via text message.
Alternatively, you can use Twilio AUTHY to send a push notification on the user's mobile phone.
Verifying the Challenge
If SMS was the selected channel, then you must build a page in your application where the user can enter the verification code that they received in the text message which you will need to submit to via the challenge verify API.
The challenge expires after 5 minutes and the number of incorrect OTP attempts is limited to reduce the risk of fraud; the challenge remains in a Pending state until the last incorrect attempt has been consumed within the 5 minutes.
In case of Twilio AUTHY, the user must approve the push notification submitted on their mobile phone. You will receive a webhook notification once the user approves or rejects the push notification.